@@ -0,0 +1,33 @@
|
|
|
+{
|
|
|
+ "extractors": [
|
|
|
+ {
|
|
|
+ "title": "UniFi AP Events",
|
|
|
+ "extractor_type": "grok",
|
|
|
+ "converters": [],
|
|
|
+ "order": 0,
|
|
|
+ "cursor_strategy": "copy",
|
|
|
+ "source_field": "message",
|
|
|
+ "target_field": "unifi_ap_event",
|
|
|
+ "extractor_config": {
|
|
|
+ "grok_pattern": "%{DATA:access_point} %{DATA:unifi_device_mac_address}(?:,%{DATA:ap_model})?: %{DATA:stahtd}: %{DATA:stahtd_process}\\[%{INT:stahtd_id}\\]: %{DATA:stahtd_event}: %{GREEDYDATA:json_data}"
|
|
|
+ },
|
|
|
+ "condition_type": "regex",
|
|
|
+ "condition_value": "stahtd"
|
|
|
+ },
|
|
|
+ {
|
|
|
+ "title": "UniFi Firewall Log",
|
|
|
+ "extractor_type": "grok",
|
|
|
+ "converters": [],
|
|
|
+ "order": 1,
|
|
|
+ "cursor_strategy": "copy",
|
|
|
+ "source_field": "message",
|
|
|
+ "target_field": "unifi_fw",
|
|
|
+ "extractor_config": {
|
|
|
+ "grok_pattern": "%{DATA:device_name} \\[%{DATA:fw_rule_id}\\] DESCR=\\\"\\[%{DATA:fw_rule_group}\\]%{DATA:fw_rule_name}\\\" IN=%{DATA:fw_in_iface} OUT=%{DATA:fw_out_iface} MAC=%{DATA:fw_mac} SRC=%{IP:src_ip} DST=%{IP:dst_ip} LEN=%{INT:ip_len} TOS=%{DATA:tos} PREC=%{DATA:prec} TTL=%{INT:ttl} ID=%{INT:packet_id} DF PROTO=%{WORD:proto}(?: SPT=%{INT:src_port})?(?: DPT=%{INT:dst_port})?(?: SEQ=%{INT:seq})?(?: ACK=%{INT:ack})?(?: WINDOW=%{INT:window})?(?: SYN)?(?: URGP=%{INT:urgp})?(?: UID=%{INT:uid})?(?: GID=%{INT:gid})?(?: LEN=%{INT:payload_len})? MARK=%{DATA:fw_mark}"
|
|
|
+ },
|
|
|
+ "condition_type": "regex",
|
|
|
+ "condition_value": "\\[.*\\] DESCR="
|
|
|
+ }
|
|
|
+ ],
|
|
|
+ "version": "6.2.2"
|
|
|
+}
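Review bot: The firewall pattern on the `grok_pattern` line hard-codes the ` DF ` token between `ID=` and `PROTO=`, but in the standard netfilter log format `DF` appears only when the Don't-Fragment bit is set, so lines for fragmentable packets (much UDP traffic) will not match and silently yield no `unifi_fw` fields — a blind spot for anyone alerting on `src_ip`/`dst_port`; make it optional with `ID=%{INT:packet_id}(?: DF)?(?: MF)? PROTO=%{WORD:proto}`. The trailing `MARK=%{DATA:fw_mark}` also captures an empty string, because `DATA` is lazy (`.*?`) and nothing follows it to force a match; use `MARK=%{NOTSPACE:fw_mark}` instead. If the device also emits netfilter's usual `RES=0x00` token before the TCP flags, the TCP branch would need `(?: RES=%{NOTSPACE:res})?` as well — worth confirming against a captured line before relying on the `src_port`/`dst_port` fields. Both extractors chain many lazy `DATA` captures over syslog that is typically delivered via unauthenticated UDP, so a crafted non-matching line that still satisfies the `condition_value` regex can drive heavy backtracking in the extractor thread; prefer `%{MAC:unifi_device_mac_address}` and `%{NOTSPACE:...}` for fields that never contain spaces, and add numeric converters for `*_port`, `ttl` and `ip_len` so they index as integers rather than strings (`"converters": []` leaves them as text).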